SecureX-ISE-wf

To demonstrate the power of Cisco DevNet and SecureX for threat hunting and incident response,
I've created this use case with two workflows.
- Cisco Talos Blog email notification, which triggers a CTR investigation with the creation of a new casebook and a ServiceNow incident ticket. This is based on the original workflow, enhanced to use an email trigger instead of a cron-like scheduler.
- SecureX response workflow, which triggers ISE quarantine/un-quarantine via pxGrid ANC for the targets found by the workflow above.
What does it do?
- The ingestion of IoCs, in this case Talos blog posts triggered by an email alert (but similarly, Twitter feeds etc. could also be used)
- Searching the environment (or "Sighting") for evidence of these IoCs within the organisation
- Leveraging a ticketing system (in this case ServiceNow) to create an incident ticket
- Enabling quarantining of infected endpoints through SecureX calling ISE. This could be another Cisco or 3rd-party security enforcement solution, e.g. BGP blackhole, FW/IPS ACL etc.
Workflow 1 - New Talos Blog Email Workflow

Prerequisites:
- An email account that supports either POP3 or IMAP. A Gmail account is used as an example in this case.
- Cisco SecureX account
- Import 0002-Talos-SingleBlogPostToCTRCasebook from GitHub with all dependencies.
- Cisco Webex Teams account (optional); this is used to receive messages from the workflow.
Installation Steps
Please follow the below steps exactly to get started!
- Subscribe to the Talos Blog feed email notification
- Import "Check New Talos Blog Email.json" to SecureX as a new workflow
- Update the Email trigger. See the documentation of email events and triggers
- Send a test email with a Talos blog link and check if the script is triggered. (Note: it could be any security intelligence feed URL after modifying the workflow regex)
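The trigger step above hinges on one regex that picks the blog link out of the notification email. As an added example (not part of this repository or of the SecureX workflow itself), the following stand-alone Python shows the same idea with an allow-listed feed host: only a link on a host you expect can fire the response chain, so a stray URL in an email body cannot start an investigation. The sample email, the `FEED_HOSTS` set and the function names are constructed for this example; Talos posts live under blog.talosintelligence.com, and other feed hosts are where you would extend the regex.

```python
import email
import re
from email import policy

# Constructed sample notification; this is not a real Talos feed email.
SAMPLE_EMAIL = """From: feed@example.invalid
To: soc@example.invalid
Subject: New post on Talos Blog
Content-Type: text/plain; charset=utf-8

A new post was published:
https://blog.talosintelligence.com/example-post/
Manage your subscription: https://example.invalid/unsubscribe
"""

# Hosts whose links are allowed to trigger the workflow (assumption: extend this
# set when you add another intelligence feed, mirroring the workflow regex change).
FEED_HOSTS = {"blog.talosintelligence.com"}

# Generic URL matcher; host filtering is done separately so the allow-list stays readable.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/[^\s<>\"']*)?")


def extract_feed_urls(raw_message: str) -> list:
    """Return the de-duplicated list of URLs in the email body whose host is allow-listed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    found = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if host not in FEED_HOSTS:
            continue  # unsubscribe links, trackers and similar never reach the workflow
        url = match.group(0).rstrip(".,)")
        if url not in found:
            found.append(url)
    return found


def should_trigger(raw_message: str) -> bool:
    """The email trigger condition: at least one allow-listed feed link in the body."""
    return bool(extract_feed_urls(raw_message))


if __name__ == "__main__":
    print(extract_feed_urls(SAMPLE_EMAIL))
```

Feeding the extracted URLs (rather than the whole email body) into the CTR investigation keeps the casebook tied to the post that was announced, and the host check is the one place to touch when a new feed is added.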
Workflow 2 - ISE Quarantine Workflow

Prerequisites:
- Access to ISE with ANC policies configured
- Prepare ISE pxGrid certificates as per the instructions
- Download pxgrid-rest-ws with securex_ise.py
- Ngrok (optional, used to expose the Flask app without opening firewall ports)
- Create a DUO application as "Partner Auth API"
- Cisco Webex Teams account (optional); this is used to receive messages from the workflow.
Note
The Python script is intended for PoC only, as it does not authenticate incoming requests. Additional checking, such as JWT verification, is recommended for a production deployment.
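Because the Flask endpoint drives ISE ANC, an unauthenticated request to it is an unauthenticated quarantine. The following added example (not code from securex_ise.py or from the SecureX workflow) shows the JWT check the note recommends, using only the standard library: an HS256 token on the `Authorization: Bearer` header is verified with a pinned algorithm, a constant-time signature compare, an issuer check and an expiry check before the request body is even looked at. `SHARED_SECRET`, `EXPECTED_ISSUER`, the `/anc` route and the `action`/`target` body fields are assumptions for this example; `make_hs256_jwt` exists only so the example is self-contained.

```python
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"replace-with-a-long-random-secret"  # placeholder, not a real secret
EXPECTED_ISSUER = "securex-workflow"                   # assumed issuer claim set by the workflow
ALLOWED_ACTIONS = {"quarantine", "unquarantine"}       # the only ANC operations this endpoint performs


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a token. Only here so the example runs offline; the workflow would supply real tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now: float) -> dict:
    """Return the claims if algorithm, signature, issuer and expiry all check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token header is attacker-controlled input and must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_anc_request(headers: dict, body: dict, secret: bytes, now: float) -> tuple:
    """Gatekeeper for the webhook. Returns (http_status, message); only a valid token
    and a known action/target would reach the pxGrid ANC call in securex_ise.py."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_hs256_jwt(auth[len("Bearer "):], secret, now)
    except ValueError as err:
        return 401, f"rejected: {err}"
    action, target = body.get("action"), body.get("target")
    if action not in ALLOWED_ACTIONS or not target:
        return 400, "unknown action or missing target"
    # Here the real script would apply or clear the ANC policy for `target` via pxGrid.
    return 200, f"{action} accepted for {target} (sub={claims.get('sub')})"


# Flask wiring (sketch; assumed route name):
# @app.route("/anc", methods=["POST"])
# def anc():
#     status, msg = authorize_anc_request(request.headers, request.get_json(force=True),
#                                         SHARED_SECRET, time.time())
#     return msg, status

if __name__ == "__main__":
    demo = make_hs256_jwt({"iss": EXPECTED_ISSUER, "sub": "wf-demo", "exp": time.time() + 60}, SHARED_SECRET)
    print(authorize_anc_request({"Authorization": "Bearer " + demo},
                                {"action": "quarantine", "target": "10.0.0.5"}, SHARED_SECRET, time.time()))
```

Keep the token lifetime short (the workflow can mint a fresh one per call) and log the rejected attempts: a burst of 401s on this endpoint is itself a signal worth a Webex message.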
Installation Steps
- Find config.py under pxgrid-rest-ws/python and update the ISE credentials, e.g.

```python
import argparse


class Config:
    def __init__(self):
        parser = argparse.ArgumentParser()
        # pxGrid controller(s); repeat -a to add more than one ISE node
        parser.add_argument(
            '-a', '--hostname', help='pxGrid controller host name (multiple ok)', action='append', default=["Your ISE node IP address"])
        # name under which this client registers with pxGrid (approved once in ISE)
        parser.add_argument('-n', '--nodename', help='Client node name', default="Your pxGrid Node Name")
        parser.add_argument('-w', '--password', help='Password (optional)')
        parser.add_argument('-d', '--description',
                            help='Description (optional)')
        # client certificate, key and key password prepared per the pxGrid certificate instructions
        parser.add_argument(
            '-c', '--clientcert', help='Client certificate chain pem filename (optional)', default="Your certificate.pem")
        parser.add_argument('-k', '--clientkey',
                            help='Client key filename (optional)', default="Your certificate.key")
        parser.add_argument('-p', '--clientkeypassword',
                            help='Client key password (optional)', default="Your certificate password")
        # CA bundle used to verify the ISE pxGrid server certificate
        parser.add_argument('-s', '--servercert',
                            help='Server certificates pem filename', default="Your pxGrid CA.pem")
        ...
```
- Approve the pxGrid client in ISE (only required once)
- Import "Toggle IP_MAC Quarantine in ISE.json" to your SecureX workflows
- Make sure "response" is enabled as the category
- Run ngrok on the same computer as securex_ise.py
- Update the SecureX Ngrok target URL using the output from the command above.
- Run securex_ise.py
- Test the workflow with the SecureX pivot menu
